CompTIA Security+ SY0-601 (Section 5.0 Governance, Risk and Compliance)


Business Impact Analysis - Site risk assessment

• All locations are a bit different
  - Even those designed to be similar
• Recovery plans should consider unique environments
  - Applications
  - Personnel
  - Equipment
  - Work environment

Credential Policies - Credential management

• All that stands between the outside world and all of the data
  - The data is everything
• Passwords must not be embedded in the application
  - Everything needs to reside on the server, not the client
• Communication across the network should be encrypted
  - Authentication traffic should be impossible to see

Data Roles and Responsibilities - Data responsibility

• High-level data relationships
  - Organizational responsibilities, not always technical
• Data owner
  - Accountable for specific data, often a senior officer
  - VP of Sales owns the customer relationship data
  - Treasurer owns the financial information

Organizational Policies - Change management

• How to make a change
  - Upgrade software, change firewall configuration, modify switch ports
• One of the most common risks in the enterprise
  - Occurs very frequently
• Often overlooked or ignored
  - Did you feel that bite?
• Have clear policies
  - Frequency, duration, installation process, fallback procedures
• Sometimes extremely difficult to implement
  - It's hard to change corporate culture

Security Regulations and Standards - PCI DSS

• Payment Card Industry Data Security Standard (PCI DSS)
  - A standard for protecting credit cards
• Six control objectives
  - Build and maintain a secure network and systems
  - Protect cardholder data
  - Maintain a vulnerability management program
  - Implement strong access control measures
  - Regularly monitor and test networks
  - Maintain an information security policy

Secure Configurations - Application server

• Programming languages, runtime libraries, etc.
  - Usually between the web server and the database
  - Middleware
• Very specific functionality
  - Disable all unnecessary services
• Operating system updates
  - Security patches
• File permissions and access controls
  - Limit rights to what's required
  - Limit access from other devices

Personnel Security - Least privilege

• Rights and permissions should be set to the bare minimum
  - You only get exactly what's needed to complete your objective
• All user accounts must be limited
  - Applications should run with minimal privileges
• Don't allow users to run with administrative privileges
  - Limits the scope of malicious behavior

Risk Analysis - Risk control assessment

• Risk has been determined
  - Heat maps have been created
• Time to build cybersecurity requirements
  - Based on the identified risks
• Find the gap
  - Often requires a formal audit
  - Self-assessments may be an option
• Build and maintain security systems based on the requirements
  - The organizational risk determines the proper controls
• Determine if existing controls are compliant or noncompliant
  - Make plans to bring everything into compliance

Secure Configurations - Network infrastructure devices

• Switches, routers, firewalls, IPS, etc.
  - You never see them, but they're always there
• Purpose-built devices
  - Embedded OS, limited OS access
• Configure authentication
  - Don't use the defaults
• Check with the manufacturer
  - Security updates
  - Not usually updated frequently
  - Updates are usually important

Privacy and Data Breaches - Notices

• Terms of service
  - Terms of use, terms and conditions (T&C)
  - Legal agreement between service provider and user
  - User must agree to the terms to use the service
• Privacy notice, privacy policy
  - May be required by law
  - Documents the handling of personal data
  - May provide additional data options and contact information

Security Frameworks - SSAE SOC 2 Type I/II

• The American Institute of Certified Public Accountants (AICPA) auditing standard Statement on Standards for Attestation Engagements number 18 (SSAE 18)
• SOC 2
  - Trust Services Criteria (security controls)
  - Firewalls, intrusion detection, and multi-factor authentication
• Type I audit
  - Tests controls in place at a particular point in time
• Type II audit
  - Tests controls over a period of at least six consecutive months

Third-party Risk Management - Supply chain

• The system involved when creating a product
  - Involves organizations, people, activities, and resources
• Supply chain assessment
  - Get a product or service from supplier to customer
  - Evaluate coordination between groups
  - Identify areas of improvement
  - Assess the IT systems supporting the operation
  - Document the business process changes
• New laptops arrive with bundled malware
  - Lenovo, August 2014 through early 2015
  - Superfish software added a self-signed root cert (!)
  - Allowed for on-path attacks when browsing any site, including over HTTPS

Risk Analysis - Risk awareness

• A constantly changing battlefield
  - New risks, emerging risks
  - A nearly overwhelming amount of information
  - Difficult to manage a defense
• Knowledge is key
  - Part of every employee's daily job role
  - Part of the onboarding process for employees and partners
• Maintaining awareness
  - Ongoing group discussions
  - Presentations from law enforcement
  - Attend security conferences and programs

Organizational Policies - Change control

• A formal process for managing change
  - Avoid downtime, confusion, and mistakes
• Nothing changes without the process
  - Determine the scope of the change
  - Analyze the risk associated with the change
  - Create a plan
  - Get end-user approval
  - Present the proposal to the change control board
  - Have a backout plan if the change doesn't work
  - Document the changes

Business Impact Analysis - Removing single points of failure

• A single event can ruin your day
  - Unless you make some plans
• Network configuration
  - Multiple devices (the "Noah's Ark" of networking)
• Facility / Utilities
  - Backup power, multiple cooling devices
• People / Location
  - A good hurricane can disrupt personnel travel
• There's no practical way to remove all points of failure
  - Money drives redundancy

Risk Management Types - Risk management strategies

• Acceptance
  - A business decision; we'll take the risk!
• Risk-avoidance
  - Stop participating in a high-risk activity
• Transference
  - Buy some cybersecurity insurance
• Mitigation
  - Decrease the risk level
  - Invest in security systems

Secure Configurations - Web server hardening

• Access a server with your browser
  - The fundamental server on the Internet
  - Microsoft Internet Information Server, Apache HTTP Server, et al.
• Huge potential for access issues
  - Data leaks, server access
• Secure configuration
  - Information leakage: banner information, directory browsing
  - Permissions: run from a non-privileged account, configure file permissions
  - Configure SSL: manage and install certificates
  - Log files: monitor access and error logs

Credential Policies - Device accounts

• Access to devices
  - Mobile devices
• Local security
  - Device certificate
  - Require screen locks and unlocking standards
  - Manage through a Mobile Device Manager (MDM)
• Add additional security
  - Geography-based
  - Include additional authentication factors
  - Associate a device with a user

Credential Policies - Third-party accounts

• Access to external third-party systems
  - Cloud platforms for payroll, enterprise resource planning, etc.
• Third-party access to corporate systems
  - Access can come from anywhere
• Add additional layers of security
  - 2FA (two-factor authentication)
  - Audit the security posture of third parties
• Don't allow account sharing
  - All users should have their own account

Personnel Security - Off-boarding

• All good things... (But you knew this day would come)
• This process should be pre-planned
  - You don't want to decide how to do things at this point
• What happens to the hardware and the data?
• Account information is usually deactivated
  - But not always deleted

Privacy and Data Breaches - Privacy impact assessment (PIA)

• Almost everything can affect privacy
  - New business relationships, product updates, website features, service offerings
• Privacy risk needs to be identified in each initiative
  - How could the process compromise customer privacy?
• Advantages
  - Fix privacy issues before they become a problem
  - Provides evidence of a focus on privacy
  - Avoid data breaches
  - Shows the importance of privacy to everyone

Credential Policies - Personnel accounts

• An account on a computer associated with a specific person
  - The computer associates the user with a specific identification number
• Storage and files can be private to that user
  - Even if another person is using the same computer
• No privileged access to the operating system
  - Specifically not allowed on a user account
• This is the account type most people will use
  - Your user community

Personnel Security - Background checks

• Background checks
  - Pre-employment screening
  - Verify the applicant's claims
  - Discover criminal history, workers' compensation claims, etc.
  - Legalities vary by country
• Adverse actions
  - An action that denies employment based on the background check
  - May require extensive documentation
  - Can also include existing employees

Personnel Security - Role-based security awareness training

• Before providing access, train your users
  - Detailed security requirements
• Specialized training
  - Each user role has unique security responsibilities
• Also applies to third parties
  - Contractors, partners, suppliers
• Detailed documentation and records
  - Problems later can be severe for everyone

Risk Management Types - Multi-party risk

• Breaches involving multiple parties
  - Often trusted business relationships
  - Events often involve many different parties
• May 2019 - American Medical Collection Agency
  - Provided debt collection for many different organizations
  - Data breach disclosed personal information on 24 million individuals
  - Twenty-three healthcare organizations affected by this single breach
  - A single breach can cause a ripple effect

Personnel Security - On-boarding

• Bring a new person into the organization
  - New hires or transfers
• IT agreements need to be signed
  - May be part of the employee handbook or a separate AUP
• Create accounts
  - Associate the user with the proper groups and departments
• Provide required IT hardware
  - Laptops, tablets, etc.
  - Preconfigured and ready to go

Security Frameworks - Center for Internet Security (CIS)

• Center for Internet Security
  - Critical Security Controls for Effective Cyber Defense (CIS CSC)
• Improve cyber defenses
  - Twenty key actions (the critical security controls)
  - Categorized for different organization sizes
• Designed for implementation
  - Written for IT professionals
  - Includes practical and actionable tasks

Security Regulations and Standards - Compliance

• Compliance
  - Meeting the standards of laws, policies, and regulations
• A healthy catalog of regulations and laws
  - Across many aspects of business and life
  - Many are industry-specific or situational
• Penalties
  - Fines, incarceration, loss of employment
• Scope
  - Covers national, territory, or state laws
  - Domestic and international requirements

Third-party Risk Management - Non-disclosure agreement (NDA)

• Confidentiality agreement between parties
  - Information in the agreement should not be disclosed
• Protects confidential information
  - Trade secrets
  - Business activities
  - Anything else listed in the NDA
• Unilateral or bilateral (or multilateral)
  - One-way NDA or mutual NDA
• Formal contract
  - Signatures are usually required

Privacy and Data Breaches - Information life cycle

• Creation and receipt
  - Create data internally or receive data from a third party
• Distribution
  - Records are sorted and stored
• Use
  - Make business decisions, create products and services
• Maintenance
  - Ongoing data retrieval and data transfers
• Disposition
  - Archiving or disposal of data

Data Roles and Responsibilities - Data roles

• Data controller
  - Manages the purposes and means by which personal data is processed
• Data processor
  - Processes data on behalf of the data controller
  - Often a third party or different group
• Payroll controller and processor
  - Payroll department (data controller) defines payroll amounts and timeframes
  - Payroll company (data processor) processes payroll and stores employee information

Data Roles and Responsibilities - Additional data roles

• Data custodian/steward
  - Responsible for data accuracy, privacy, and security
  - Associates sensitivity labels to the data
  - Ensures compliance with any applicable laws and standards
  - Manages the access rights to the data
  - Implements security controls
• Data protection officer (DPO)
  - Responsible for the organization's data privacy
  - Sets policies, implements processes and procedures

Enhancing privacy - Data masking

• Data obfuscation
  - Hide some of the original data
• Protects PII
  - And other sensitive data
• May only be hidden from view
  - The data may still be intact in storage
  - Control the view based on permissions
• Many different techniques
  - Substituting, shuffling, encrypting, masking out, etc.

Business Impact Analysis - Disaster recovery plan (DRP)

• Detailed plan for resuming operations after a disaster
  - Application, data center, building, campus, region, etc.
• Extensive planning prior to the disaster
  - Backups
  - Off-site data replication
  - Cloud alternatives
  - Remote site
• Many third-party options
  - Physical locations
  - Recovery services

Credential Policies - Administrator/root accounts

• Elevated access to one or more systems
  - Super user access
• Complete access to the system
  - Often used to manage hardware, drivers, and software installation
• This account should not be used for normal administration
  - User accounts should be used
• Needs to be highly secured
  - Strong passwords, 2FA
  - Scheduled password changes

Third-party Risk Management - Product support lifetime

• End of life (EOL)
  - Manufacturer stops selling a product
  - May continue supporting the product
  - Important for security patches and updates
• End of service life (EOSL)
  - Manufacturer stops selling a product
  - Support is no longer available for the product
  - No ongoing security patches or updates
  - May have a premium-cost support option
• Technology EOSL is a significant concern
  - Security patches are part of normal operation

Risk Analysis - Disaster types

• Environmental threats
  - Tornado, hurricane, earthquake, severe weather
• Person-made threats
  - Human intent, negligence, or error
  - Arson, crime, civil disorder, fires, riots, etc.
• Internal and external
  - Internal threats are from employees
  - External threats are from outside the organization

Security Regulations and Standards - GDPR (General Data Protection Regulation)

• European Union regulation
  - Data protection and privacy for individuals in the EU
  - Name, address, photo, email address, bank details, posts on social networking websites, medical information, a computer's IP address, etc.
• Controls export of personal data
  - Users can decide where their data goes
• Gives individuals control of their personal data
  - A right to be forgotten
• Site privacy policy
  - Details all of the privacy rights for a user

Third-party Risk Management - Vendors

• Every organization works with vendors
  - Payroll, customer relationship management, email marketing, travel, raw materials
• Important company data is often shared
  - May be required for cloud-based services
• Perform a risk assessment
  - Categorize risk by vendor and manage the risk
• Use contracts for clear understanding
  - Make sure everyone understands the expectations
  - Use the contract to enforce a secure environment

Third-party Risk Management - Target credit card breach - November 2013

• Every point of sale terminal infected
  - A third party was allowed in through lapses in security policy
• A vendor was infected through an email attachment
  - The vendor didn't have or follow a security policy for their workstations
• Target didn't segment the vendor network from the corporate network
  - The attackers jumped from the vendor to the Target network
• The corporate network was not segmented from point of sale (POS) terminals
  - Once on the inside, it was relatively easy to get to your credit card numbers (110 million card numbers)

Risk Management Types - Risk assessments

• External threats
  - Outside the organization
  - Hacker groups, former employees
• Internal threats
  - Employees and partners
  - Disgruntled employees
• Legacy systems
  - Outdated, older technologies
  - May not be supported by the manufacturer
  - May not have security updates
  - Depending on the age, may not be easily accessible
• Intellectual Property (IP) theft
  - Theft of ideas, inventions, and creative expressions
  - Human error, hacking, employees with access, etc.
  - Identify and protect IP
  - Educate employees and increase security
• Software compliance/licensing
  - Operational risk with too few licenses
  - Financial risk with budgeting and over-allocated licenses
  - Legal risk if proper licensing is not followed

Personnel Security - User training

• Gamification
  - Score points, compete with others, collect badges
• Capture the flag (CTF)
  - Security competition
  - Hack into a server to steal data (the flag)
  - Can involve highly technical simulations
  - A practical learning environment
• Phishing simulation
  - Send simulated phishing emails
  - Make vishing calls
  - See which users are susceptible to phishing attacks without being a victim of phishing
• Computer-based training (CBT)
  - Automated pre-built training
  - May include video, audio, and Q&A
  - Users all receive the same training experience

Organizational Policies - Asset management

• Identify and track computing assets
  - Usually an automated process
• Respond faster to security problems
  - You know who, what, and where
• Keep an eye on the most valuable assets
  - Both hardware and data
• Track licenses
  - You know exactly how many you'll need
• Verify that all devices are up to date
  - Security patches, anti-malware signature updates, etc.

Risk Management Types - Risk assessment

• Identify assets that could be affected by an attack
  - Define the risk associated with each asset
  - Hardware, customer data, intellectual property
• Identify threats
  - Loss of data, disruption of services, etc.
• Determine the risk
  - High, medium, or low risk
• Assess the total risk to the organization
  - Make future security plans

Managing Data - Data classification

• Identify data types
  - Personal, public, restricted, etc.
  - Use and protect data efficiently
• Associate governance controls to the classification levels
  - How the data class should be managed
• Data compliance
  - Laws and regulations regarding certain types of data
  - GDPR - General Data Protection Regulation

Risk Analysis - Qualitative risk assessment

• Identify significant risk factors
  - Ask opinions about the significance
  - Display visually with a traffic light grid or similar method

Business Impact Analysis - Mission-essential functions

• If a hurricane blew through, what functions would be essential to the organization?
  - That's where you start your analysis
  - These are broad business requirements
• What computing systems are required for these mission-essential business functions?
  - Identify the critical systems

Risk Analysis - Audit risk model

• Inherent risk
  - Impact + Likelihood
  - Risk that exists in the absence of controls
  - Some models include the existing set of controls
• Residual risk
  - Inherent risk + control effectiveness
  - Risk that exists after controls are considered
  - Some models base it on including additional controls
• Risk appetite
  - The amount of risk an organization is willing to take

Privacy and Data Breaches - Notification

• Internal escalation process
  - Breaches are often found by technicians
  - Provide a process for making those findings known
• External escalation process
  - Know when to ask for assistance from external resources
  - Security experts can find and stop an active breach
• Public notifications and disclosures
  - Refer to security breach notification laws
  - All 50 US states, EU, Australia, etc.
  - Delays might be allowed for criminal investigations

Security Frameworks - ISO/IEC frameworks

• International Organization for Standardization / International Electrotechnical Commission
• ISO/IEC 27001
  - Standard for an Information Security Management System (ISMS)
• ISO/IEC 27002
  - Code of practice for information security controls
• ISO/IEC 27701
  - Privacy Information Management Systems (PIMS)
• ISO 31000
  - International standards for risk management practices

Personnel Security - Business policies

• Job rotation
  - Keep people moving between responsibilities
  - No one person maintains control for long periods of time
• Mandatory vacations
  - Rotate others through the job
  - The longer the vacation, the better chance to identify fraud
  - Especially important in high-security environments
• Separation of duties
  - Split knowledge
    - No one person has all of the details
    - Half of a safe combination
  - Dual control
    - Two people must be present to perform the business function
    - Two keys open a safe (or launch a missile)
• Clean desk policy
  - When you leave, nothing is on your desk
  - Limit the exposure of sensitive data to third parties

Managing Data - Data retention

• Keep files that change frequently for version control
  - Files change often
  - Keep at least a week, perhaps more
• Recover from virus infection
  - Infection may not be identified immediately
  - May need to retain 30 days of backups
• Often legal requirements for data retention
  - Email storage may be required over years
  - Some industries must legally store certain data types
  - Different data types have different storage requirements
  - Corporate tax information, customer PII, tape backups, etc.

Business Impact Analysis - Impact

• Life
  - The most important consideration
• Property
  - The risk to buildings and assets
• Safety
  - Some environments are too dangerous to work in
• Finance
  - The resulting financial cost
• Reputation
  - An event can cause status or character problems

Enhancing privacy - Anonymization

• Make it impossible to identify individual data from a dataset
  - Allows for data use without privacy concerns
• Many different anonymization techniques
  - Hashing, masking, etc.
• Convert from detailed customer purchase data
  - Remove name and address, change phone number to ### ### ####
  - Keep product name, quantity, total, and sale date
• Anonymization cannot be reversed
  - No way to associate the data to a user

Security Controls - Control categories

• Managerial controls
  - Controls that address security design and implementation
  - Security policies, standard operating procedures
• Operational controls
  - Controls that are implemented by people
  - Security guards, awareness programs
• Technical controls
  - Controls implemented using systems
  - Operating system controls
  - Firewalls, anti-virus

Secure Configurations - Operating system hardening

• Many and varied
  - Windows, Linux, iOS, Android, et al.
• Updates
  - Operating system updates/service packs, security patches
• User accounts
  - Minimum password lengths and complexity
  - Account limitations
• Network access and security
  - Limit network access
• Monitor and secure
  - Anti-virus, anti-malware

Risk Analysis - Regulations that affect risk posture

• Many of them
  - Regulations tend to regulate
• Regulations directly associated with cybersecurity
  - Protection of personal information, disclosure of information breaches
  - Requires a minimum level of information security
• HIPAA - Health Insurance Portability and Accountability Act
  - Privacy of patient records
  - New storage requirements, network security, protect against threats
• GDPR - General Data Protection Regulation
  - European Union data protection and privacy
  - Personal data must be protected and managed for privacy

Enhancing privacy - Data minimization

• Minimal data collection
  - Only collect and retain necessary data
• Included in many regulations
  - HIPAA has a "Minimum Necessary" rule
  - GDPR: "Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed."
• Some information may not be required
  - Do you need a telephone number or address?
• Internal data use should be limited
  - Only access data required for the task

Third-party Risk Management - Business partners

• Much closer to your data than a vendor
  - May require direct access
  - May be a larger security concern than an outside hacker
• Often involves communication over a trusted connection
  - More difficult to identify malicious activity
• Partner risk management should be included
  - Requirements for best practices, data handling, intellectual property
• Include additional security between partners
  - Firewalls and traffic filters

Personnel Security - Personnel security procedures

• NDA (Non-disclosure agreement)
  - Confidentiality agreement / legal contract
  - Prevents the use and dissemination of confidential information
• Social media analysis
  - Gather data from social media
  - Facebook, Twitter, LinkedIn, Instagram
  - Build a personal profile
  - Another data point when making a hiring decision

Security Frameworks - NIST CSF

• National Institute of Standards and Technology Cybersecurity Framework (CSF)
  - A voluntary commercial framework
• Framework Core
  - Identify, Protect, Detect, Respond, and Recover
• Framework Implementation Tiers
  - An organization's view of cybersecurity risk and processes to manage the risk
• Framework Profile
  - The alignment of standards, guidelines, and practices to the Framework Core

Security Frameworks - NIST RMF

• National Institute of Standards and Technology Risk Management Framework (RMF)
  - Mandatory for US federal agencies and organizations that handle federal data
• Six-step process
  - Step 1: Categorize (define the environment)
  - Step 2: Select (pick appropriate controls)
  - Step 3: Implement (define proper implementation)
  - Step 4: Assess (determine if controls are working)
  - Step 5: Authorize (make a decision to authorize a system)
  - Step 6: Monitor (check for ongoing compliance)

Secure Configurations

• No system is secure with the default configurations
  - You need some guidelines to keep everything safe
• Hardening guides are specific to the software or platform
  - Get feedback from the manufacturer or Internet interest group
  - They'll have the best details
• Other general-purpose guides are available online

Data Classifications - Labeling sensitive data

• Not all data has the same level of sensitivity
  - License tag numbers vs. health records
• Different levels require different security and handling
  - Additional permissions
  - A different process to view
  - Restricted network access

Security Controls - Control types

• Preventive
  - Physically control access
  - Door lock
  - Security guard
  - Firewall
• Detective
  - May not prevent access
  - Identifies and records any intrusion attempt
  - Motion detector, IDS/IPS
• Corrective
  - Designed to mitigate damage
  - IPS can block an attacker
  - Backups can mitigate a ransomware infection
  - A backup site can provide options when a storm hits
• Deterrent
  - May not directly prevent access
  - Discourages an intrusion attempt
  - Warning signs, login banner
• Compensating
  - Doesn't prevent an attack
  - Restores using other means
  - Re-image or restore from backup
  - Hot site
  - Backup power system
• Physical
  - Fences, locks, mantraps
  - Real-world security

Data Classifications - Data classifications

• Proprietary
  - Data that is the property of an organization
  - May also include trade secrets
  - Often data unique to an organization
• PII - Personally Identifiable Information
  - Data that can be used to identify an individual
  - Name, date of birth, mother's maiden name, biometric information
• PHI - Protected Health Information
  - Health information associated with an individual
  - Health status, health care records, payments for health care, and much more
• Public / Unclassified
  - No restrictions on viewing the data
• Private / Classified / Restricted / Internal use only
  - Restricted access, may require a non-disclosure agreement (NDA)
• Sensitive
  - Intellectual property, PII, PHI
• Confidential
  - Very sensitive, must be approved to view
• Critical
  - Data should always be available
• Financial information
  - Internal company financial information
  - Customer financial details
• Government data
  - Open data
  - Transfer between government entities
  - May be protected by law
• Customer data
  - Data associated with customers
  - May include user-specific details
  - Legal handling requirements

Enhancing privacy - Pseudo-anonymization

• Pseudonymization
  - Replace personal information with pseudonyms
  - Often used to maintain statistical relationships
• May be reversible
  - Hide the personal data for daily use or in case of breach
  - Convert it back for other processes
• Random replacement
  - James Messer -> Jack O'Neill -> Sam Carter -> Daniel Jackson
• Consistent replacements
  - James Messer is always converted to George Hammond

Business Impact Analysis - Functional recovery plans

• Recover from an outage
  - Step-by-step guide
• Contact information
  - Someone is on-call
  - Keep everyone up to date
• Technical process
  - Reference the knowledge base
  - Follow the internal processes
• Recover and test
  - Confirm normal operation

Business Impact Analysis - Recovery

• Recovery time objective (RTO)
  - Get up and running quickly
  - Get back to a particular service level
• Recovery point objective (RPO)
  - How much data loss is acceptable?
  - Bring the system back online; how far back does data go?
• Mean time to repair (MTTR)
  - Time required to fix the issue
• Mean time between failures (MTBF)
  - Predict the time between outages

Enhancing privacy - Tokenization

• Replace sensitive data with a non-sensitive placeholder
  - SSN 266-12-1112 is now 691-61-8539
• Common with credit card processing
  - Use a temporary token during payment
  - An attacker capturing the card numbers can't use them later
• This isn't encryption or hashing
  - The original data and token aren't mathematically related
  - No encryption overhead

Privacy and Data Breaches - Consequences

• Reputation damage
  - Opinion of the organization becomes negative
  - Can have an impact on products or services
  - Can impact stock price
• Identity theft
  - Company and/or customer information becomes public
  - May require public disclosure
  - Credit monitoring costs
• Fines
  - Uber: data breach in 2016 wasn't disclosed
    - Uber paid the hackers $100,000 instead
    - Lawsuit settlement was $148 million
  - Equifax: 2017 data breach
    - Government fines were approximately $700 million
• Intellectual Property (IP) theft
  - Stealing company secrets
  - Can put an organization out of business

Risk Analysis - Evaluating risk

• Risk register
  - Every project has a plan, but also has risk
  - Identify and document the risk associated with each step
  - Apply possible solutions to the identified risks
  - Monitor the results
• Risk matrix / risk heat map
  - View the results of the risk assessment
  - Visually identify risk based on color
  - Combines the likelihood of an event with the potential impact
  - Assists with making strategic decisions

Managing Data - Data governance

• Rules, processes, and accountability associated with an organization's data
  - Data is used in the right ways
• Data steward
  - Manages the governance processes
  - Responsible for data accuracy, privacy, and security
  - Associates sensitivity labels to the data
  - Ensures compliance with any applicable laws and standards
• Formal rules for data
  - Everyone must know and follow the processes

Security Frameworks

• Secure your data.
  - Where do you start? What are the best practices?
  - If only there was a book.
• Often a complex problem
  - Unique organizational requirements
  - Compliance and regulatory requirements
  - Many different processes and tools are available
• Use a security framework
  - Documented processes
  - A guide for creating a security program
  - Define tasks and prioritize projects

Security Frameworks - Cloud Security Alliance (CSA)

• Security in cloud computing
  - Not-for-profit organization
• Cloud Controls Matrix (CCM)
  - Cloud-specific security controls
  - Controls are mapped to standards, best practices, and regulations
• Enterprise Architecture
  - Methodology and tools
  - Assess internal IT groups and cloud providers
  - Determine security capabilities
  - Build a roadmap

Security Controls

• Security risks are out there
  - Many different types to consider
• Assets are also varied
  - Data, physical property, computer systems
• Prevent security events, minimize the impact, and limit the damage
  - Security controls

Third-party Risk Management - Common agreements

• Service Level Agreement (SLA)
  - Minimum terms for services provided
  - Uptime, response time agreement, etc.
  - Commonly used between customers and service providers
• Memorandum of Understanding (MOU)
  - Both sides agree on the contents of the memorandum
  - Usually includes statements of confidentiality
  - Informal letter of intent; not a signed contract
• Measurement system analysis (MSA)
  - Don't make decisions based on incorrect data!
  - Used with quality management systems, e.g., Six Sigma
  - Assess the measurement process
  - Calculate measurement uncertainty
• Business Partnership Agreement (BPA)
  - Going into business together
  - Owner stake
  - Financial contract
  - Decision-making agreements
  - Prepare for contingencies

Credential Policies - Service accounts

• Used exclusively by services running on a computer
  - No interactive/user access (ideally)
  - Web server, database server, etc.
• Access can be defined for a specific service
  - Web server rights and permissions will be different than a database server
• Commonly use usernames and passwords
  - You'll need to determine the best policy for password updates

Personnel Security - Acceptable use policies (AUP)

• What is acceptable use of company assets?
  - Detailed documentation
  - May be documented in the Rules of Behavior
• Covers many topics
  - Internet use, telephones, computers, mobile devices, etc.
• Used by an organization to limit legal liability
  - If someone is dismissed, these are the well-documented reasons why
